Provable Security Analysis for the Password Authenticated Key Exchange Problem

(1)

Provable Security Analysis for the Password

Authenticated Key Exchange Problem

Ph.D. Thesis Presentation

Presenter: M. Sc. Jose Becerra Supervisors: Prof. Peter Y. A. Ryan

Dr. Dimiter Ostrev May 14, 2019

(2)

Table of Contents 1. Introduction

Motivation and Research Objectives

2. Relation between SIM-based and IND-based security models 3. Forward Secrecy for SPAKE2

PFS-SPAKE2

4. Tight Security Reductions PAK Protocol

5. Summary

(3)

(4)

What is a PAKE

• Password Authenticated Key-Exchange protocol.

• Goal: Establishment of strong cryptographic session keys from low entropy secrets.

• Attacks should be limited toonlinedictionary attacksonly. • A may test at most one password per session during an

active attack.

(5)

What is a PAKE

• Password Authenticated Key-Exchange protocol.

• Goal: Establishment of strong cryptographic session keys from low entropy secrets.

• Attacks should be limited toonlinedictionary attacksonly. • A may test at most one password per session during an

active attack.

(6)

PAKEs Application I

Build secure channels relying only on shared passwords. • No need of PKI.

(7)

PAKEs Application II

Login scenarios while intrinsically protecting the user’s password.

• In 2018, 49% of phishing attacks where performed inhttps web pages (marked as secure by the browser).

• PAKEs prevent the compromise of the user’s password.

(8)

PAKEs Application II

Login scenarios while intrinsically protecting the user’s password.

• In 2018, 49% of phishing attacks where performed inhttps web pages (marked as secure by the browser).

• PAKEs prevent the compromise of the user’s password.

(9)

Motivation and Research Objectives

Our aim is to facilitate the adoption of PAKEs in real-world applications.

1. Examine whether the simulation-based and

indistinguishability-based security notions for PAKEs are equivalent.

2. Investigate whether the SPAKE2 protocol provably satisﬁes some meaningful notion of forward secrecy.

3. Investigate the relevance of tight security reductions for PAKE protocols.

We consider the computational-complexity approach in our analysis.

(10)

(11)

Security Models for PAKEs

IND-based

1. Find then Guess (IND-FtG) [BPR00]

2. Real or Random (IND-RoR) [AFP05]

SIM-based

• Boyko Mackenzie and Patel (SIM-BMP) [BMP00]

• Universally Composable PAKEs (UC) [CHKM05]

(12)

IND-RoR SIM-BMP

IND-FtG SIM-UC

Fig. 1: Known relations between PAKE security deﬁnitions.

(13)

IND-RoR SIM-BMP

IND-FtG SIM-UC

?

Fig. 2: Known relations between PAKE security deﬁnitions.

(14)

Real or Random Security Model (IND-RoR)

• Security deﬁned by a game playedCH and A.

• initUser (U)

• initInstance (U, i, pid) • Send (U, i, m) • Execute (U, i, U′_,_i′₎

• Corrupt (U) • Test (U, i)

• if b = 1 real session key. • if b = 0 random string.

Deﬁnition

Protocol P satisﬁes RoR security if∀ PPT A: AdvRoR

P (A) ≤ _|D|k + negl(λ)

k: number of active instances

(15)

Simulation-based Security Model (SIM-BMP) I

Real World

• Real execution of the protocol.

• The adversary controls the network.

RW adv. is given access to the following queries:

• initUser (U).

• initInstance (U, i, pid). • Send (U, i, m). • Corrupt(U) • Application (f, U, i).

Transcript: RW(B)

(16)

Simulation-based Security Model (SIM-BMP) II Ideal World

• Deﬁnes the ideal functionality for a PAKE. • Secure by deﬁnition.

IW adv. (or simulator) is given access to the following queries:

• initUser (U).

• initInstance (U, i, pid). • Abort user instance (U, i). • Test instance password (U, i, π′_).

• Start session (U, i). • Application (f, U, i). • Implementation.

Transcript: IW(B∗₎

(17)

Simulation-based Security Model (SIM-BMP) III

Deﬁnition

Protocol P is SIM-BMP secure if:

∀B ∃B∗ s.t. RW(B)≈cIW(B∗) No assumption is made about the distribution of passwords.

(18)

SIM-BMP→ IND-RoR I

Theorem (SIM-BMP→ IND-RoR)

If protocol P satisﬁes SIM-BMP security, then P also satisﬁes IND-RoR security.

(19)

SIM-BMP→ IND-RoR II • We construct B fromA.

• The output is RW(B).

By SIM-BMP security deﬁnition: ∀B ∃B∗ _{s.t. RW(B)}_≈ cIW(B∗) • Build a distinguisherD(trx). 1← D(·) if real-world trx. 0← D(·) if ideal-world trx. AdvRoR P (A) ≤ k |D|+ negl(λ) · · · then P is IND-RoR secure. B, B∗_{are real-world and ideal-world adv. in SIM-BMP.}

A is the adv. in RoR.

(20)

By SIM-BMP security deﬁnition:

∀B ∃B∗ _{s.t. RW(B)}_≈ cIW(B∗) • Build a distinguisherD(trx). 1← D(·) if real-world trx. 0← D(·) if ideal-world trx. AdvRoR P (A) ≤ k |D|+ negl(λ) · · · then P is IND-RoR secure. B, B∗_{are real-world and ideal-world adv. in SIM-BMP.}

(21)

By SIM-BMP security deﬁnition:

∀B ∃B∗ _{s.t. RW(B)}_≈ cIW(B∗) • Build a distinguisherD(trx). 1← D(·) if real-world trx. 0← D(·) if ideal-world trx. AdvRoR P (A) ≤ k |D|+ negl(λ) · · · then P is IND-RoR secure. B, B∗_{are real-world and ideal-world adv. in SIM-BMP.}

(22)

IND-RoR vs SIM-BMP

IND-RoR SIM-BMP

IND-FtG SIM-UC

?

Fig. 3: Could not prove by contradiction the implication.

(23)

SIM Security: Online Dictionary Attacks

SIM-BMP 1. Incorporate in the IW, the non-negligible probability of an adversary guessing the password.

• test instance password (U, i, π′).

P is SIM-BMP secure if∀D: ∀B ∃B∗ _{s.t. RW(B)}_≈

cIW(B∗)

SIM-BMP’

2. Do not incorporate in the IW the non-negligible probability of guessing the password.

• Relax the indistinguishability requirement.

P is SIM-BMP’ secure if∀D: ∀B ∃B∗ _{s.t. RW(B)}k/|D|_{≈ IW(B}∗₎

k: number of active instances D: password dictionary

(24)

SIM-BMP’ Security Model

Deﬁnition

Protocol P is SIM-BMP’ secure if:

∀B ∃B∗ _{s.t. RW(B)}k/|D|_{≈ IW(B}∗₎

(25)

SIM-BMP’ Security Model II

Theorem (SIM-BMP’→ IND-RoR)

If protocol P satisﬁes SIM-BMP’ security, then P also satisﬁes IND-RoR security.

Theorem (IND-RoR→ SIM-BMP’)

If protocol P satisﬁes IND-RoR security, then P also satisﬁes SIM-BMP’ security.

(26)

IND vs SIM Comparison Results

Our results (in blue) are summarized in the following diagram:

Without Forward Secrecy With Forward Secrecy

SIM-BMP′ _FS-SIM-BMP′

IND-RoR SIM-BMP FS-IND-RoR FS-SIM-BMP

IND-FtG SIM-UC

Fig. 4: Relation between PAKE security deﬁnitions.

(27)

(28)

SPAKE2

• PAKE protocol by Abdalla and Pointcheval (CT-RSA 2005). • One round protocol.

• Currently in the process of standardization by the IEFT. • Proven secure in the IND-FtG security model (BPR).

... but without forward secrecy.

(29)

SPAKE2 - Description Client C Server S Public: M, N∈ G; Secret: π ∈ Zq x $ ←− Zq, X := gx y←− Z$ q, Y := gy X∗_:=_X_{· M}π _Y∗₌_Y_{· N}π X∗ Y∗ σ := (_NY∗π)x σ := (X ∗ Mπ)y sk := H(C, S, X∗_,_Y∗_{, σ, π)} _{sk := H(C, S, X}∗_,_Y∗_{, σ, π)} Fig. 5: SPAKE2 protocol.

(30)

Forward Secrecy

“It ensures the protection of session keys even if the long-term secret of the participants gets later compromised” [DOW92].

• Weak Forward Secrecy (wFS).

Session keys generatedwithout the active interventionof

A, should remain secret to A,regardlessany Corrupt

query.

• Perfect Forward Secrecy (PFS).

Session keys established before any Corrupt (U) query should remain secret to the adversary.

• It is difﬁcult to prove PFS for 1-round protocols with only implicit authentication.

(31)

Forward Secrecy

“It ensures the protection of session keys even if the long-term secret of the participants gets later compromised” [DOW92].

• Weak Forward Secrecy (wFS).

Session keys generatedwithout the active interventionof

A, should remain secret to A,regardlessany Corrupt

query.

• Perfect Forward Secrecy (PFS).

Session keys established before any Corrupt (U) query should remain secret to the adversary.

• It is difﬁcult to prove PFS for 1-round protocols with only

implicit authentication.

(32)

Perfect vs week Forward Secrecy

Fig. 6:Sessions protected with PFS. Fig. 7:Sessions protected with wFS.

(33)

Perfect vs week Forward Secrecy

Fig. 6:Sessions protected with PFS. Fig. 7:Sessions protected with wFS.

(34)

SPAKE2 - Problematic Scenario

Adv.A(C) _{Server S}

x $ ←− Zq, X := gx y←− Z$ q, Y := gy X∗_:=_X_{· M}π1 X∗ _Y∗₌_Y_{· N}πc σ := (_MX_πc∗ )y Y∗ sk := H(C, S, X∗_,_Y∗_{, σ, π} c)

• An active adversary tries to impersonate C to S.

• Only implicit authentication : Server accepts (and might use) sk without conﬁrming its intended partner.

(35)

x← Zq, X := gx y← Zq, Y := gy X∗_:=_X_{· M}π1 X∗ _Y∗₌_Y_{· N}πc σ := (_MXπ∗c)y Y∗ sk := H(C, S, X∗_,_Y∗_{, σ, π}_c) .. . Corrupt (S)

1. Perfect Forward Secrecy. • sk must be secret toA. 2. Weak Forward Secrecy.

• Does not guarantee the secrecy of sk.

(36)

x← Zq, X := gx y← Zq, Y := gy X∗_:=_X_{· M}π1 X∗ _Y∗₌_Y_{· N}πc σ := (_MXπ∗c)y Y∗ sk := H(C, S, X∗_,_Y∗_{, σ, π}_c) .. . Corrupt (S)

1. Perfect Forward Secrecy. • sk must be secret toA.

2. Weak Forward Secrecy.

• Does not guarantee the secrecy of sk.

(37)

SPAKE2 - weak Forward Secrecy

Theorem

SPAKE2 is secure in the BPR model with weak Forward Secrecy under the CDH and CSDH assumptions:

AdvwFS-FtG_P (A) ≤ nse |D| + O ( (n_se+n_ex)(n_se+n_ex+n_ro) q + nro· AdvCDHG (BA) +nsenro· AdvCDHG ( ˆBA) + (n_ro)2· AdvCSDH_G ( ˜BA) ) . D: password dictionary nse: number of Send queries nex: number of Execute queries nro: number of random oracle queries

(38)

PFS-SPAKE2

• Incorporating key-conﬁrmation codes to SPAKE2 results in PFS-SPAKE2.

• Explicit mutual authentication. • Remove one CRS.

• Computationally more efﬁcient (client side).

(39)

(40)

PFS-SPAKE2 - Security

Theorem

PFS-SPAKE2 is secure in the BPR model with Perfect Forward Secrecy under the CDH assumption:

AdvwFS-FtG_P (A) ≤ nse |D| +O ( (n_se+n_ex)(n_se+n_ex+n_ro) q + nro· AdvCDHG (BA) + nsenro· AdvCDHG ( ˆBA) + (n_ro)2· AdvCDH_G ( ˜BA) ) . D: password dictionary nse: number of Send queries nex: number of Execute queries nro: number of random oracle queries

(41)

(42)

Tight Reductions Hard Problem π advantage = ϵπ running time = tπ Protocol P advantage = ϵ running time = t

An adversary running in time t with advantage ϵ give us a

π-solver running in time tπ with advantage ϵπ.

• The protocol is secure if such solver does not exist.

(43)

Tight Reductions Hard Problem π advantage = ϵπ running time = tπ Protocol P advantage = ϵ running time = t

The reduction istightif

ϵ

t =c·

ϵπ

tπ

.

• Preserve strength of hardness assumption.

(44)

Why Tight Reductions?

The reduction is not tight if: ϵ >> ϵπ or tπ >>t. • ϵ≤L· ϵπ, for large L:security degradation factor. For instance consider:

• Desired security level of 150 bits for the protocol. • L = 240_{degradation factor.}

ϵ≤ L · ϵπ 2−150=240· 2−190

• Then the hardness assumption needs to provide at least 190 bits of security→larger parameters and less efﬁcient impl.

(45)

PAK Protocol

• Boyko, Mackenzie and Patel 2001.

• PAKE protocol with explicit mutual authentication. • Low computation and communication cost. • Satisﬁes forward secrecy.

• Currently under consideration by IETF for standardization.

• Patent expired in 2017.

(46)

Initialization Public:G, g, q; H : {0, 1}∗→ G; H1,H2,H3:{0, 1}∗_{→ {0, 1}}k_; Client Server Secret: π πS[C] = (H(πC))−1 x $ ←− Zq, α := gx γ :=H1(π) m := α· γ C, m _y $ ←− Zq, µ := gy γ′:= πS[C] σ := (m· γ′)y,i.e. σ = DH(α, µ) k := H2(C, S, m, µ, σ, γ′) k′′:=H3(C, S, m, µ, σ, γ′) σ := µx,i.e. σ = DH(α, µ) µ,k _{sk := H}₄(C, S, m, µ, σ, γ′) γ′:= γ−1 abort if k̸= H2(C, S, m, µ, σ, γ′) k′:=H3(C, S, m, µ, σ, γ′) sk := H4(C, S, m, µ, σ, γ′) k′ abort if k′̸= k′′

Fig. 8: PAK protocol.

(47)

Non-tight Reduction in PAK I PAK security proof is not tight:

AdvPAK_G (A) ≤ nse

|D| +O

(

nse· (nro)2· AdvCDHG (BA)

)

We consider realistic parameters:

• G has order q = 2256_{→ Adv}CDH

G ≤ 2−128. • nse≈ 230: Number of Send queries.

• nro≈ 263: Number of random oracle queries.

nse· (nro)2· AdvCDH_G (BA) >>1 . . . is meaningless.

(48)

Non-tight Reduction in PAK II

• Instantiation over prime order groups. • Both CDH and DDH are hard. • Security proof relies on the CDH

assumption and RO model. • Construct a CDH-solver algorithm:

H(m, µ,· · · ,σ1, π) H(m, µ,· · · ,σ₂, π)

...

H(m, µ,· · · ,σ_ro, π)

How can the simulator choose thecorrectσs.t.

(49)

H(m, µ,· · · ,σ1, π) H(m, µ,· · · ,σ₂, π)

...

H(m, µ,· · · ,σ_ro, π)

(50)

H(m, µ,· · · ,σ1, π) H(m, µ,· · · ,σ₂, π)

...

H(m, µ,· · · ,σ_ro, π)

(51)

Tightly-secure PAK Our solution:

• Instantiate PAK over Gap Difﬁe-Hellman groups, e.g.

billinear groups.

• Tight reduction from Gap-DH. Theorem

AdvPAK(A) ≤ nse

|D| +8· Adv

Gap-DH

G (BA)

More efﬁcient implementations.

• PAK andG provide the same security level w.r.t. the Gap-DH problem.

(52)

Tightly-secure PAK Our solution:

• Instantiate PAK over Gap Difﬁe-Hellman groups, e.g.

billinear groups.

• Tight reduction from Gap-DH. Theorem

AdvPAK(A) ≤ nse

|D| +8· Adv

Gap-DH

G (BA)

More efﬁcient implementations.

• PAK andG provide the same security level w.r.t. the Gap-DH problem.

(53)

(54)

Summary of our Contributions

• Proved that the original SPAKE2 satisﬁes weak Forward Secrecy.

• SPAKE2 with key-conﬁrmation codes satisﬁes Perfect Forward Secrecy.

• Tight security reduction for the PAK protocol.

• The same technique could be applied to other EKE-based protocols, e.g. PPK, SPAKE2.

• Comparison between SIM-BMP and IND-RoR security models for PAKEs.

• SIM-BMP−→ IND-RoR.

• SIM-BMP’←→ IND-RoR.

(55)

Q & A

Provable Security Analysis for the Password Authenticated Key Exchange Problem

Provable Security Analysis for the Password

Authenticated Key Exchange Problem

Thanks !!!